EU agreement on data protection reform

Posted on 16th December 2015 at 4:15 pm

Last night the biggest reform to data protection in the European Union for over two decades was finally agreed. The General Data Protection Regulation (“GDPR”) was first proposed by the then EU Justice Commissioner, Viviane Reding, in January 2012 and was put forward by the European Commission; however, it has taken almost four years for the negotiations between the Commission, Council and Parliament to come to a conclusion.

The GDPR was agreed alongside a new Data Protection Directive that will ensure that the data of victims, witnesses and suspects of crimes are duly protected in the context of a criminal investigation or law enforcement action.

This Directive will clearly have a significant impact on the criminal justice sector. However, the focus here will be on the GDPR and the impact it will have on businesses and individuals.

Impact

The Commission claim that the GDPR will enable people to better control their personal data whilst also creating more opportunities for businesses in the digital single market by creating a system of modernised and unified rules that will cut red tape and reinforce consumer trust.

Impact on businesses

Single set of rules which will make it simpler and cheaper for companies to do business in the EU;

Obligation on businesses to appoint a Data Protection Officer independently to ensure compliance with the GDPR;

One unified supervisory authority, known as the “one stop shop”;

Companies based outside the EU will have to apply the same rules as EU companies when offering services within the EU;

Data protection safeguards will have to be built into products from their earliest stage of development, thus bringing the rules into line with the “Privacy By Design” principle that personal data usage should be kept to an absolute minimum and not be used beyond its original purpose;

Companies that fail to comply with their obligations under the GDPR can face fines of up to 4% of global sales, with data controllers and processors being jointly and severally liable for any breach.

Benefits for small and medium enterprises

No more notifications to supervisory authorities are required. This currently costs businesses around £90 million a year in the EU;

Where data requests are excessive, SMEs can charge a fee for handling the request;

SMEs will be exempt from appointing a Data Protection Officer where data is not their core business activity;

There will be no requirement on SMEs to have an impact assessment unless they are considered to be high risk.

Impact on individuals

Easier access to their own data: individuals will have more information on how their data is processed and this information should be available in a clear and understandable way;

Right to data portability: it will be easier to transfer personal data between service providers;

A clarified “right to be forgotten”: when individuals no longer want their data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted. This will have an impact on businesses that store personal data, e.g. marketing companies;

Right to know when your data has been hacked: companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible so that users can take appropriate measures;

Age of consent: the GDPR allows EU Member States to set the age of consent for data processing. The GDPR sets this at 16 but Member States can lower this to 13.

Conclusion

Broadly speaking the GDPR is a consumer victory. The heavy emphasis on enforcement sanctions, the relatively short time until application (the new rules will become applicable two years after the formal adoption at the beginning of 2016) and the added complications of how to be compliant in the world of cross-border data flows (https://www.macroberts.com/the-aftermath-of-the-safe-harbor-decision/) mean there is much to consider for businesses. Whilst there are a number of benefits to smaller businesses, all businesses will have to make changes to accommodate the new rules.

MacRoberts has expertise in and advises on a wide range of data protection law, particularly the obligations on organisations in relation to personal data and security measures. For more information, please contact Valerie Surgenor, David Flint or David Gourlay.

Author

Val Surgenor is a Partner in our IP, Technology & Commercial team and has over 15 years’ experience in advising on data protection and, since its introduction, the Freedom of Information (Scotland) Act 2002 (FOISA).

Primarily involved in non-contentious IP and information technology, Val advises private companies and other private/public/third sector organisations and institutions, as well as individuals, on a wide range of commercial matters, including commercial contracts, patents, trademarks, design rights, copyright and other intellectual property licensing, transfer, commercialisation and protection of IP, computer technology contracts, including hosting and cloud arrangements, and commercial agreements.

Val is one of the few Scottish lawyers recognised by Chambers UK as a “Leader in the Field” of data protection and is listed in Who’s Who Legal 2018 as an expert in Data Privacy & Protection. She was also Chair of the Scottish Fundraising Implementation Group, tasked by the Scottish Government with the establishment of the Independent Fundraising Standards and Adjudications Panel for Scotland, and is now one of the Independent Panel’s members.
